Chris Hughes, Tony Turner

Software Transparency (eBook, PDF)

Supply Chain Security in an Era of a Software-Driven Society
Redaktion: Springett, Steve

• Format: PDF

Produktbeschreibung

Discover the new cybersecurity landscape of the interconnected software supply chain In Software Transparency: Supply Chain Security in an Era of a Software-Driven Society, a team of veteran information security professionals delivers an expert treatment of software supply chain security. In the book, you'll explore real-world examples and guidance on how to defend your own organization against internal and external attacks. It includes coverage of topics including the history of the software transparency movement, software bills of materials, and high assurance attestations. The authors examine the background of attack vectors that are becoming increasingly vulnerable, like mobile and social networks, retail and banking systems, and infrastructure and defense systems. You'll also discover: * Use cases and practical guidance for both software consumers and suppliers * Discussions of firmware and embedded software, as well as cloud and connected APIs * Strategies for understanding federal and defense software supply chain initiatives related to security An essential resource for cybersecurity and application security professionals, Software Transparency will also be of extraordinary benefit to industrial control system, cloud, and mobile security professionals.

---

Dieser Download kann aus rechtlichen Gründen nur mit Rechnungsadresse in A, B, BG, CY, CZ, D, DK, EW, E, FIN, F, GR, HR, H, IRL, I, LT, L, LR, M, NL, PL, P, R, S, SLO, SK ausgeliefert werden.

Produktdetails

• Verlag: John Wiley & Sons
• Seitenzahl: 336
• Erscheinungstermin: 27. April 2023
• Englisch
• ISBN-13: 9781394158508
• Artikelnr.: 67973072

Autorenporträt

CHRIS HUGHES is the co-founder and Chief Information Security Officer of Aquia. He is an Adjunct Professor for M.S. Cybersecurity programs at Capitol Technology University and the University of Maryland Global Campus, and a co-host of the Resilient Cyber Podcast. TONY TURNER has 25 years' experience as a cybersecurity engineer, architect, consultant, executive, and community builder. He is the Founder of Opswright, a software company creating solutions for security engineering in critical infrastructure and leads the OWASP Orlando chapter.

Inhaltsangabe

Foreword xxi

Introduction xxv

Chapter 1 Background on Software Supply Chain Threats 1

Incentives for the Attacker 1

Threat Models 2

Threat Modeling Methodologies 3

Stride 3

Stride- LM 4

Open Worldwide Application Security Project (OWASP) Risk- Rating Methodology 4

Dread 5

Using Attack Trees 5

Threat Modeling Process 6

Landmark Case 1: SolarWinds 14

Landmark Case 2: Log4j 18

Landmark Case 3: Kaseya 21

What Can We Learn from These Cases? 23

Summary 24

Chapter 2 Existing Approaches-- Traditional Vendor Risk Management 25

Assessments 25

SDL Assessments 28

Application Security Maturity Models 29

Governance 30

Design 30

Implementation 31

Verification 31

Operations 32

Application Security Assurance 32

Static Application Security Testing 33

Dynamic Application Security Testing 34

Interactive Application Security Testing 35

Mobile Application Security Testing 36

Software Composition Analysis 36

Hashing and Code Signing 37

Summary 39

Chapter 3 Vulnerability Databases and Scoring Methodologies 41

Common Vulnerabilities and Exposures 41

National Vulnerability Database 44

Software Identity Formats 46

Cpe 46

Software Identification Tagging 47

Purl 49

Sonatype OSS Index 50

Open Source Vulnerability Database 51

Global Security Database 52

Common Vulnerability Scoring System 54

Base Metrics 55

Temporal Metrics 57

Environmental Metrics 58

CVSS Rating Scale 58

Critiques 59

Exploit Prediction Scoring System 59

EPSS Model 60

EPSS Critiques 62

CISA's Take 63

Common Security Advisory Framework 63

Vulnerability Exploitability eXchange 64

Stakeholder- Specific Vulnerability Categorization and Known Exploited Vulnerabilities 65

Moving Forward 69

Summary 70

Chapter 4 Rise of Software Bill of Materials 71

SBOM in Regulations: Failures and Successes 71

NTIA: Evangelizing the Need for SBOM 72

Industry Efforts: National Labs 77

SBOM Formats 78

Software Identification (SWID) Tags 79

CycloneDX 80

Software Package Data Exchange (SPDX) 81

Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosures 82

VEX Enters the Conversation 83

VEX: Adding Context and Clarity 84

VEX vs. VDR 85

Moving Forward 88

Using SBOM with Other Attestations 89

Source Authenticity 89

Build Attestations 90

Dependency Management and Verification 90

Sigstore 92

Adoption 93

Sigstore Components 93

Commit Signing 95

SBOM Critiques and Concerns 95

Visibility for the Attacker 96

Intellectual Property 97

Tooling and Operationalization 97

Summary 98

Chapter 5 Challenges in Software Transparency 99

Firmware and Embedded Software 99

Linux Firmware 99

Real- Time Operating System Firmware 100

Embedded Systems 100

Device- Specific SBOM 100

Open Source Software and Proprietary Code 101

User Software 105

Legacy Software 106

Secure Transport 107

Summary 108

Chapter 6

Rezensionen

"Starting this book off with a proper threat model is precisely what's needed as a frame for such an important problem. Supply chain risk is complicated, it's changing quickly, and the defensive measures often involve multiple teams which drives up the complexity. The insights captured throughout this book are absolutely necessary for the state of software security today and having the proper context and frame of the problem space as you read it will help get the most of it."
--Robert Wood, CISO of Centers for Medicare and Medicaid (CMS)

"This is a very good book. It achieves something that I don't think anyone else has even attempted: provide an encyclopedic account of guidelines, best practices, regulations, and current efforts to secure the software supply chain. The best aspect of this book is that someone (like me) who is primarily involved with just one aspect of software supply chain security can benefit from a well-informed treatment of the subject from different aspects, yet still have a reference tool to return to later, when the need arises to learn about other topics within this already vast discipline."
--Tom Alrich